USBdriveby pwns Macs by pretending to be a keyboard and mouse

In just a few seconds, Samy Kamkar’s USB-pluggable device can make you sorry that you haven’t epoxied shut every USB port on your Mac. That’s all the time it takes for his attack to gain control of your system.

Kamkar calls the attack USBdriveby, and it’s a pretty accurate description of what happens. If your Mac happens to be left unlocked and someone can gain physical access for that long, he or she only has to plug in a device, unplug it, and walk away. While it’s inserted, the “stick” acts as both a keyboard and mouse, quickly sending the required keystrokes, mouse movements, and clicks to mess with a machine’s DNS settings — and set up a command and control interface.

While OS X normally displays security prompts that would prevent this kind of tampering, cleverly crafted Applescript and well-timed mouse movements — used to pass clicks onto the buttons of an automatically-repositioned window — are enough to sidestep that protection.

Kamkar’s attack is similar to BadUSB, though there’s one key difference. While both can impersonate other types of devices to trick a target computer into letting them pull of an attack, USBdriveby is built to run on an Arduino or Teensy. BadUSB, on the other hand, can “weaponize” any USB flash drive with reprogrammable firmware and a software-based USB stack.

If Kamkar’s name rings a bell, that’s because he’s the same researcher who concocted the Evercookie a few years back. Using JavaScript, Kamkar figured out how to set a cookie that’s virtually impossible for a user to get rid of. Now he — like so many other members of the security community — seems intent on sparking some kind of change when it comes to trust and USB. Let’s hope they succeed.

In the meantime, just make sure to lock your computer when you step away and maybe set up a few trip wires around your desk to keep unwanted butts out of your chair.